OpenSSL commands (for Linux)

Source: Internet
Author: User
Tags: modulus, openssl library, openssl rsa, openssl x509, pkcs12, openssl commands, asymmetric encryption
Encryption Algorithm:

Symmetric encryption algorithm:

DES, IDEA, RC2, RC4, AES, Skipjack, ...

Asymmetric encryption algorithm:

RSA, DSA, Diffie-Hellman, PKCS, PGP, ...

One-way hash (message digest) algorithms are also provided by the OpenSSL library.

Command operation:

1. Generate a plain (unencrypted) private key:

[weigw@TEST src]$ openssl genrsa -out privatekey.key 1024

Generating RSA private key, 1024 bit long modulus
...++ ...++
e is 65537 (0x10001)

2. Generate a passphrase-protected private key:

[weigw@TEST src]$ openssl genrsa -des3 -out privatekey.key 1024

Generating RSA private key, 1024 bit long modulus
............++ .....................++
e is 65537 (0x10001)
Enter pass phrase for privatekey.key:
Verifying - Enter pass phrase for privatekey.key:


When generating a passphrase-protected key you are prompted for the passphrase. The following options select the cipher used to encrypt the key:

-des      encrypt the generated key with DES in CBC mode

-des3     encrypt the generated key with triple DES in EDE CBC mode (168-bit key)

-aes128, -aes192, -aes256   encrypt the PEM output with AES in CBC mode

Remove the passphrase from the key:

[weigw@TEST src]$ openssl rsa -in privatekey.key -out privatekey.key

Enter pass phrase for privatekey.key:
writing RSA key


Generate a (self-signed) certificate from the private key:

[weigw@TEST src]$ openssl req -new -x509 -key privatekey.key -out cacert.crt -days 1095

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:Beijing
Organization Name (eg, company) [My Company Ltd]:wondersoft
Organizational Unit Name (eg, section) []:Develop
Common Name (eg, your name or your server's hostname) []:weigw
Email Address []:weigongwan@sina.com

Enter the requested identity information at the prompts when generating the certificate.

Extract the public key from the private key:

[weigw@TEST src]$ openssl rsa -in privatekey.key -pubout -out pubkey.key
writing RSA key

Format conversion (certificate, private key, public key): PEM <---> DER

[weigw@TEST src]$ openssl x509 -in cacert.crt -inform PEM -out cacert.der -outform DER

[weigw@TEST src]$ openssl rsa -in privatekey.key -inform PEM -out privatekey.der -outform DER
writing RSA key

[weigw@TEST src]$ openssl rsa -pubin -in pubkey.key -inform PEM -pubout -out pubkey.der -outform DER
writing RSA key

To convert DER back to PEM, swap the arguments: -inform DER and -outform PEM.
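The following script is an added example, not part of the original page, that runs the whole first section end to end in a temporary directory and then checks the results: key generation, passphrase protection and removal, a self-signed certificate, public-key extraction, and the PEM/DER round trip. It uses 2048-bit keys instead of the page's 1024-bit ones (1024-bit RSA is no longer considered adequate), -aes256 instead of -des3, and passes the constructed passphrase "demo-pass" with -passout/-passin only to avoid the interactive prompts; the file names, the subject "/CN=demo" and the small req.cnf are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the original page): the page's first section as a
# script, followed by checks. Names, subject and the "demo-pass" passphrase are
# constructed for this demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
work=$(mktemp -d)
cd "$work"

# Minimal req config (assumption) so the script does not depend on the
# system openssl.cnf; -subj below overrides the placeholder commonName.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
commonName = placeholder
EOF

# 1. plain private key (2048 bits; the page's 1024-bit keys are too short today)
openssl genrsa -out privatekey.key 2048 2>/dev/null

# 2. passphrase-protected copy of the same key (-aes256 is one of the page's
#    listed options). For real keys omit -passout and let openssl prompt.
openssl rsa -in privatekey.key -aes256 -passout pass:demo-pass -out privatekey.enc.key 2>/dev/null

# Remove the passphrase again (the page's "openssl rsa -in ... -out ...").
openssl rsa -in privatekey.enc.key -passin pass:demo-pass -out privatekey.plain.key 2>/dev/null

# Self-signed certificate, and the public key derived from the private key.
openssl req -config req.cnf -new -x509 -key privatekey.key -out cacert.crt -days 365 -subj "/CN=demo"
openssl rsa -in privatekey.key -pubout -out pubkey.key 2>/dev/null

# PEM -> DER -> PEM for certificate, private key and public key.
openssl x509 -in cacert.crt -inform PEM -out cacert.der -outform DER
openssl x509 -in cacert.der -inform DER -out cacert.back.crt -outform PEM
openssl rsa -in privatekey.key -inform PEM -out privatekey.der -outform DER 2>/dev/null
openssl rsa -in privatekey.der -inform DER -out privatekey.back.key -outform PEM 2>/dev/null
openssl rsa -pubin -in pubkey.key -inform PEM -pubout -out pubkey.der -outform DER 2>/dev/null
openssl rsa -pubin -in pubkey.der -inform DER -pubout -out pubkey.back.key -outform PEM 2>/dev/null

# ---- checks ----
# The encrypted copy must be unreadable with the wrong passphrase.
enc_key_needs_passphrase() {
    ! openssl rsa -in privatekey.enc.key -passin pass:wrong -noout 2>/dev/null
}
# Encrypt/decrypt and DER conversion must preserve the key: compare moduli.
same_modulus() {        # $1, $2 = RSA private key files
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}
# The certificate must come back byte-identical after PEM -> DER -> PEM.
cert_roundtrip_ok() {
    [ "$(openssl dgst -sha256 < cacert.crt)" = "$(openssl dgst -sha256 < cacert.back.crt)" ]
}
# The public key that survived DER conversion must match the private key.
pubkey_matches() {
    [ "$(openssl rsa -pubin -in pubkey.back.key -noout -modulus 2>/dev/null)" = \
      "$(openssl rsa -in privatekey.key -noout -modulus 2>/dev/null)" ]
}

enc_key_needs_passphrase && same_modulus privatekey.key privatekey.plain.key \
  && same_modulus privatekey.key privatekey.back.key && cert_roundtrip_ok && pubkey_matches \
  && echo "all checks passed (files left in $work)"
```

The checks are the ones worth keeping around: a key that decrypts with the wrong passphrase, or a modulus that changes after a conversion, means the file you are about to deploy is not the one you think it is.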

The following is a certificate and private key generation procedure for server and client authentication (server.crt, client.crt, ca.crt):

Step 1: generate the private keys

[weigw@TEST bin]$ openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++ ...........++++++
e is 65537 (0x10001)
[weigw@TEST bin]$ openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...++++++ ................++++++
e is 65537 (0x10001)
[weigw@TEST bin]$ openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.........++++++ .........++++++
e is 65537 (0x10001)
[weigw@TEST bin]$

Step 3: issue the certificates (sign the request files with the CA)

[weigw@TEST bin]$ openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key

[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

If this step fails with an error like the following:

[weigw@TEST bin]$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Using configuration from /usr/share/ssl/openssl.cnf
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory
[weigw@TEST bin]$

create the CA directory structure that the default openssl.cnf expects by hand:
[weigw@TEST bin]$ mkdir ./demoCA
[weigw@TEST bin]$ mkdir demoCA/newcerts
Create an empty index file:
[weigw@TEST bin]$ vi demoCA/index.txt
Create the serial file and write 01 into it:
[weigw@TEST bin]$ vi demoCA/serial

Merge the certificate file (.crt) and the private key file (.key) into one PEM file:

[weigw@TEST bin]$ cat client.crt client.key > client.pem
[weigw@TEST bin]$ cat server.crt server.key > server.pem

Merge them into a PKCS#12 (.pfx/.p12) file:

[weigw@TEST bin]$ openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Enter Export Password:
Verifying - Enter Export Password:

[weigw@TEST bin]$ openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
Enter Export Password:
Verifying - Enter Export Password:

Extract the certificate and private key from the PKCS#12 file again:

[weigw@TEST bin]$ openssl pkcs12 -in client.p12 -out client.txt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

[weigw@TEST bin]$ openssl pkcs12 -in server.p12 -out server.txt
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

Display the contents (certificate, private key, public key), including the RSA modulus:

[weigw@TEST bin]$ openssl x509 -in client.crt -noout -text -modulus

[weigw@TEST bin]$ openssl rsa -in server.key -noout -text -modulus

[weigw@TEST bin]$ openssl rsa -pubin -in server.pub -noout -text -modulus

An identical Modulus= line shows that a certificate and a private key belong together.
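The following script is an added example, not part of the original page, that ties together the CA procedure above (Step 1, the demoCA directory layout, Step 3), the PKCS#12 export/import, and the modulus comparison: it builds a throwaway CA in a temporary directory, issues server and client certificates, round-trips the client through a .p12 file, and then checks that the chain verifies, that each certificate matches its key, and that the certificate survived the export unchanged. Generating the certificate signing requests (the step the page does not show) is included as an assumption. Everything named here is constructed for the demo: the config file demo.cnf (so that neither req nor ca depends on the system openssl.cnf), the subjects, and the export password "demo-export" passed with -passout/-passin only to avoid prompts; keys are 2048-bit rather than the page's 1024-bit.

```shell
#!/bin/sh
# Added example (not from the original page): throwaway CA, issued certs,
# PKCS#12 round trip, consistency checks. All names/passwords are constructed.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
work=$(mktemp -d)
cd "$work"

# Self-contained config (assumption). The page's "unable to access
# ./demoCA/newcerts" error comes from the default openssl.cnf pointing at a
# directory that does not exist yet; here the same layout is created below.
cat > demo.cnf <<'EOF'
[ ca ]
default_ca           = demo_ca

[ demo_ca ]
dir                  = ./demoCA
new_certs_dir        = $dir/newcerts
database             = $dir/index.txt
serial               = $dir/serial
certificate          = ./ca.crt
private_key          = ./ca.key
default_md           = sha256
default_days         = 365
policy               = policy_cn_only
x509_extensions      = v3_leaf
email_in_dn          = no

[ policy_cn_only ]
commonName           = supplied

[ req ]
distinguished_name   = req_dn
x509_extensions      = v3_ca
prompt               = no

[ req_dn ]
commonName           = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_leaf ]
basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
EOF

# The layout 'openssl ca' expects (the page creates it by hand with mkdir/vi).
mkdir -p demoCA/newcerts
: > demoCA/index.txt      # empty certificate database
echo 01 > demoCA/serial   # next serial number, in hex

# Step 1: private keys (2048 bits; the page's 1024-bit keys are too short today).
for name in ca server client; do openssl genrsa -out "$name.key" 2048 2>/dev/null; done

# Self-signed CA certificate, then the two requests (the step the page omits).
openssl req -config demo.cnf -new -x509 -key ca.key -out ca.crt -days 365 -subj "/CN=Demo CA"
openssl req -config demo.cnf -new -key server.key -out server.csr -subj "/CN=server.example"
openssl req -config demo.cnf -new -key client.key -out client.csr -subj "/CN=client"

# Step 3: sign the requests with the CA; -batch answers the y/n prompts.
openssl ca -config demo.cnf -batch -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
openssl ca -config demo.cnf -batch -in client.csr -out client.crt -cert ca.crt -keyfile ca.key

# Bundle, export to PKCS#12 and import again. Passwords on the command line
# only to avoid prompts; for real keys let openssl prompt instead.
cat client.crt client.key > client.pem
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -passout pass:demo-export
openssl pkcs12 -in client.p12 -out client.txt -nodes -passin pass:demo-export

# ---- checks a practitioner runs on the result ----
verify_chain() {        # $1 = certificate: does ca.crt validate it?
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}
cert_matches_key() {    # $1 = certificate, $2 = private key: same RSA modulus?
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
p12_roundtrip_ok() {    # did the certificate survive export/import unchanged?
    a=$(openssl x509 -in client.crt -noout -fingerprint -sha256)
    b=$(openssl x509 -in client.txt -noout -fingerprint -sha256)
    [ "$a" = "$b" ]
}

verify_chain server.crt && verify_chain client.crt && echo "chain OK"
cert_matches_key server.crt server.key && cert_matches_key client.crt client.key && echo "moduli OK"
p12_roundtrip_ok && echo "pkcs12 round trip OK (files left in $work)"
```

cert_matches_key is the scripted form of the page's -modulus commands: a certificate deployed next to the wrong key is a common outage cause, and comparing the two Modulus= lines catches it before the service is restarted. The client.txt produced by the import holds the key unencrypted (-nodes), which is fine inside a throwaway temp directory but not for a real key.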

Generate Diffie-Hellman parameters:

[weigw@TEST bin]$ openssl dhparam -out dh1024.pem 1024
